T-Pd(2018)24

Strasbourg, 05 March 2019 T-PD(2018)24

CONSULTATIVE COMMITTEE OF THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA

Convention 108

COMPILATION OF ANSWERS TO THE QUESTIONNAIRE ON SUPERVISORY AUTHORITIES

Directorate General of Human Rights and the Rule of Law

1 TABLE OF CONTENT

QUESTIONS ...... 4 ABU DHABI GLOBAL MARKET REGISTRATION AUTHORITY ...... 5 ALBANIA ...... 6 ANDORRA ...... 7 ARGENTINA ...... 8 ARMENIA ...... 9 AUSTRIA...... 10 AZERBAIJAN ...... 11 BELGIUM ...... 13 BOSNIA AND HERZEGOVINA ...... 15 BULGARIA ...... 16 BURKINA FASO ...... 17 CABO VERDE ...... 18 CHILE ...... 19 CROATIA ...... 20 CYPRUS ...... 21 CZECH REPUBLIC ...... 22 FINLAND ...... 23 FRANCE ...... 24 GABON ...... 25 GEORGIA ...... 26 GERMANY (Federal Commission) ...... 27 GHANA ...... 28 GREECE ...... 29 HUNGARY ...... 30 ICELAND...... 31 IRELAND...... 32 ISRAEL ...... 33 ITALY ...... 34 JAPAN ...... 35 LATVIA ...... 36 LIECHTENSTEIN ...... 37

2 LUXEMBURG ...... 38 MAURITIUS ...... 39 MEXICO ...... 40 MOLDOVA ...... 41 MONACO ...... 42 MONTENEGRO ...... 43 NORTH MACEDONIA ...... 44 NORWAY ...... 45 POLAND ...... 46 PORTUGAL ...... 47 THE PHILIPPINES ...... 48 ROMANIA ...... 49 SAN MARINO ...... 50 SENEGAL ...... 51 SERBIA ...... 52 SLOVAK REPUBLIC ...... 53 SLOVENIA...... 54 SPAIN ...... 55 SWEDEN ...... 56 SWITZERLAND ...... 57 TUNISIA ...... 58 UNITED KINGDOM ...... 60 EUROPEAN DATA PROTECTION SUPERVISOR (EDPS) ...... 61

3 QUESTIONS

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country. b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other? c. What is the length of their mandate? Is it renewable? If so, how many times?

4 ABU DHABI GLOBAL MARKET REGISTRATION AUTHORITY

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

ADGM: As per Article 11 of Abu Dhabi Law No. 4 of 2013, the Head of the Registration Authority must be appointed by a resolution of the ADGM Board of Directors.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

ADGM: The ADGM Board of Directors, which is the governing body of the Abu Dhabi Global Market jurisdiction. The Board Members are representatives of the Government of Abu Dhabi, UAE.

c. What is the length of their mandate? Is it renewable? If so, how many times?

ADGM: The mandate of the Registration Authority’s Head is open ended.

5 ALBANIA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The Assembly determines the remuneration of the Commissioner, the organizational structure and remuneration for the employees of the Commissioner’s Office. Employees enjoy the status of civil servants. The Information and Data Protection Commissioner is a monocratic authority. The Assembly of Albania elects the Commissioner upon proposal of the Council of Ministers by a simple majority of the votes.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Commissioner is elected by the Assembly upon a proposal of the Council of Ministers for a 5 year term.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The Commissioner is elected by the Assembly upon a proposal of the Council of Ministers for a 5 year term eligible for re-election. The Commissioner may be elected for another term.

6 ANDORRA

Following the plenary decision to compile a first set of information about the supervisory authorities, we want to inform you of the following:

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The Data Protection Agency of Andorra is an independent authority operating with objectivity and full independence towards the functions of national public administrations.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Director of the Data Protection Agency of Andorra as well as the two inspectors are appointed by the Parliament by a qualified majority of two thirds of the votes at the first round. Failing a majority at the first round of votes, the elected candidates will be those who obtain an absolute majority of votes at the second round.

They are appointed for a four year renewable mandate.

(Reference: Article 39 of the Personal Data Protection Act 15/2003 of 18 December)

c. What is the length of their mandate? Is it renewable? If so, how many times?

The Agency staff is subject to the applicable labour law. This does not apply to the Director and the inspectors.

7 ARGENTINA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The Director of the AAIP is the head of the Agencia de Acceso a la Información Pública, which is the Argentinian data protection authority (“AAIP”). The Director of the AAIP is appointed by the Argentine President through a public, open and transparent selection process: once the President nominates a candidate, a public hearing is held where citizens, non-governmental organizations, professional associations and academic bodies are allowed to present their observations regarding the candidate. After the expiration of the term for observations to be submitted, a second public hearing is held in order to evaluate the observations. Subsequently, and within seven days of the hearing, the President makes the decision to confirm or withdraw the nomination of the candidate, having to nominate a new candidate in the latter case and reopen the selection process.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Director of the AAIP is appointed by the Executive (the President).

c. What is the length of their mandate? Is it renewable? If so, how many times?

The tenure of the Director’s term of office is of five years, with the possibility to be re-elected for a single time. Before the expiration the Director cannot be removed ONLY by the President, who needs a binding approval for removal made by the Congress.

8 ARMENIA

The head of the authorised body for the protection of personal data of Armenia shall be appointed for a term of five years, by the Prime Minister of the Republic of Armenia, upon nomination of the Minister of Justice of the Republic of Armenia, on the basis of joint recommendations of at least five non- governmental organisations carrying out law enforcement activities. The candidate for the head of the authorised body nominated by the Minister of Justice of the Republic of Armenia to the Prime Minister of the Republic of Armenia must be from the list of candidacies suggested by non-governmental organisations. The procedure for recommending candidacies by non-governmental organisations shall be prescribed by the Government of the Republic of Armenia. The same person may not be appointed to the position of the head of the authorised body for the protection of personal data for two consecutive terms (i.e. same person may be appointed only for one term).

9 AUSTRIA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Both the head and the deputy head of the Austrian data protection authority are appointed by the Federal President on the recommendation of the Federal Government. Prior to this, an invitation to tender for a general application is issued.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

Federal President as the Head of State.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The duration is 5 years, a reappointment is permissible. There are no legal restrictions on reappointment.

10 AZERBAIJAN

Information on current legislation on personal data protection of the Republic of Azerbaijan a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country. b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other? c. What is the length of their mandate? Is it renewable? If so, how many times?

The Law of the Republic of Azerbaijan "On Personal Data" regulates issues related to the collection, processing and protection of personal data, the formation of the personal information division of the national information space, as well as the transboundary transfer of the personal data, the state and local self-governing bodies, defines the rights and obligations of persons. Individual information means any information that lets you identify the person's identity directly or indirectly. This information may include information about the individual's name, surname, patronymic, date of birth, other identification information as well as information relating to the race or nationality of a person, family life, religious beliefs or convictions, health or information on convictions. At present, the necessary legislative base has been formed in the country for the protection of personal data. The Convention on Data Protection has been ratified by the Law of the Republic of Azerbaijan dated 30 September 2009. The "Requirements for the Protection of Personal Data" was approved by the decision of the Cabinet of Ministers of the Republic of Azerbaijan dated September 6, 2010. Requirements regulate the relationships of personal information and the protection of relevant information systems when collecting, processing, disseminating and transmitting personal data by the proprietor or operator of personal data. Supervision over the enforcement of "Personal Data Protection Requirements" is exercised by the Ministry of Transport, Communication and High Technologies of the Republic of Azerbaijan, the Ministry of Internal Affairs of the Republic of Azerbaijan, the Ministry of Justice of the Republic of Azerbaijan, the State Security Service of the Republic of Azerbaijan, the Foreign Intelligence Service of the Republic of Azerbaijan, Special State Protection Service and the Financial Market Supervisory Authority of the Republic of Azerbaijan. Necessary documents to be added to the registry (correction, cancellation) of information on new information, created in the structure, changes in its structure, information on stocks suspended, should be submitted to the Registrar no later than 20 days by the applicant. According to the decision of the Cabinet of Ministers of the Republic of Azerbaijan dated on May 17, 2010, the state information resources register is also carried out by the Ministry of Transport, Communication and High Technologies (Register Operator). The Decree of the Cabinet of Ministers of the Republic of Azerbaijan dated 17 December 2010 sets out the scope of individual information that are not required for state registration in the information systems. Creation of information resources and creation of information systems of personal information, provision of services to them is carried out only on the basis of special license in accordance with the legislation of the Azerbaijan Republic. In this case, the Ministry of Transport, Communications and High Technologies of the Republic of Azerbaijan acts as a licensing authority. During 2016-2018, licensing of activities on coordination of activities under the competence of the Ministry of Transport, Communications and High Technologies on the protection of personal data was carried out, as well as the licensing of activity on formation of information resources of personal data, creation and maintenance of information systems. During this period, the coordination of the registration of personal data and information systems was carried out in our country. At present, 27 systems are registered in the registry maintained by the Information Center.

11 Cyber Security center is established under the Ministry of Communication and Information Technologies of the Republic of Azerbaijan in accordance with 5th part of the decree 708 of the President of the Republic of Azerbaijan dated on 26 September of 2012. Also there was established the Information Security Coordination Commission by the Order of the President of the Republic of Azerbaijan number 3851 dated on 29 Mart of 2018. According to the order, there were appointed the Chairman of the Commission Deputy Chief of the Special State Protection Service of the Republic of Azerbaijan - Head of the Special Communications and Information Security Agency. Members of the Commission are Deputy Minister of Transport, Communications and High Technologies of the Republic of Azerbaijan, Deputy Minister of Internal Affairs of the Republic of Azerbaijan, Deputy Defense Minister of the Republic of Azerbaijan, Deputy Head of the State Security Service of the Republic of Azerbaijan, Deputy Head of the Foreign Intelligence Service of the Republic of Azerbaijan, Deputy Chairman of the State Agency for Social Innovations. Center is a state coordinating body which engages in coordinating the action of information infrastructure subjects, reporting about existing and potential risks at country level, educating public, private and other institutions in the field of cyber security and providing methodological assistance to them. In order to educate the users of the Cyber Security Center, recommendations on ways of protecting personal data and recommendations on preventive measures have been published on the www.cert.az website, also educational events for pupils and teachers of several Baku schools have been organized. There was organized the training by the Ministry of Transport, Communication and High Technologies on 9 February 2017 with the support of the Knowledge Foundation under the President of the Republic of Azerbaijan on "Safe Day of Internet Day" and "Day of Personal Data Protection". Training is dedicated to safe internet and personal data protection for children and adolescents under the slogan "Give your contribution to Good Internet." Cooperation within the framework of the "Trust & Security" network, one of the 6 dimensions of the Digital Market Adjustment (HDM) project implemented within the framework of the European Union Eastern Partnership Program "Economic integration and adaptation to EU policy" is continued. Along with all of this, the responsibility in the cases of violation of confidentiality of personal data relevant criminal elements and liability in concerned articles of the Criminal and Administrative Violations Codes of the Republic of Azerbaijan have been defined.

12 BELGIUM

In Belgium, there are 4 different supervisory authorities: - The Data Protection Authority - The Police Information Control Authority - The R Standing Committee - The Police Services Standing Committee The authority exercising the supervision depends on the identity of the data controller or on the purpose of the data processing. Below are the answers for each authority.

1/ Data Protection Authority a. The Data Protection Authority was set up by the Law of 3 December 2017 on the establishment of the Data Protection Authority.

The vacancies for the members of the Managing Board, of the Knowledge Centre and of the Litigation Chamber are published in the Belgian Official Gazette at least six months before the on-going mandate comes to an end and, for the 1st composition of these bodies, at least one month after the entry into force of the relevant Article. The publication takes the form of a call for applications stating the number of vacant posts, the appointment conditions, the missions of the concerned bodies and the modalities for applying (Article 39)

According to a decree adopted on 13 June 2018, the Public Federal Strategy and Support Department organises language tests.

b. The members of the Managing Board, of the Knowledge Centre and of the Litigation Chamber are appointed by the House of Representatives (Article 39). The President of the Data Protection Authority is appointed by the House of Representatives for a 6 years mandate. c. The mandates are for six years and can be renewed once (Article 37).

2/ The Police Information Control Authority a. The Police Information Control Authority was established by the Law of 30 July 2018 on the protection of, physical persons with regards to the processing of personal data (Article 71).

The vacancies for its members are published in the Belgian Official Gazette before the on-going mandates come to an end. The publication takes the form of a call for applications stating the number of vacant posts, the appointment conditions, the missions of the concerned bodies and the modalities for applying. b. Police Information Control Authority has three effective full time members, of which a President. They are all appointed by the House of Representatives which can dismiss them in case the conditions stipulated under Article 232 are no longer met or on serious grounds (Article 231, §1).

13 Besides, the Authority has an investigation department composed of three members effectifs, which exclusively reports to the supervisory body. Its members are appointed by the supervisory Authority which can also dismiss them in case the conditions stipulated under Article 232 are no longer met or on serious grounds (Article 231, §4 and 5). c. The members of the Police Information Control Authority are appointed for a six years mandate starting for the taking of an oath and can be renewed once. Once their mandate has come to an end, the members continue to carry out their duties until the date of their successors’ oath. (Article 231, §2).

The members of the investigation department are appointed for a six years renewable mandates (Article 231, §5).

3/ The Standing Committee R a. The standing Committee R was set up by the Organic Law on Supervision of Police and Intelligence Services and of the Coordination Authority for the Analysis of Threats of 18 July 1991. It is designated as supervisory authority under the Articles 95, 128, 161 and 184 of the Law on the Protection of Physical Persons with regards to the Processing of Personal Data of 30 July 2018. Vacant posts for its members are published in the Belgium official gazette before the end of the on-going mandates as a call for applications that states the number of vacancies, the appointment conditions, the missions of the concerned bodies and the modalities for applying. b. The Standing Committee R is composed of three effective members, of which one President. They are all appointed by the House of Representatives that can dismiss them in case they carry out functions or activities, are employed or have a mandate as referred to by sub-paragraph 4 or Article 28 of the Organic Law, or on serious grounds (Article 28 of the Organic Law). The Standing Committee R is assisted by a Registrar, also appointed by the House of Representatives (Article 29 of the Organic Law). c. The members of the Standing Committee R are appointed for a renewable six year mandate, starting from their taking of oath. At the end of their mandate, they continue to carry out their functions until the oath of their successors. Substitutes are also appointed for a six years mandate starting when the post holders take their oath (Article 30 of the Organic Law).

4/ The Standing Supervisory of Police Services Committee a. The Standing Supervisory Police Services Committee was set up by the Organic Law on Supervision of Police and Intelligence Services and of the Coordination Authority for the Analysis of Threats of 18 July 1991. It is designated as supervisory authority under the Articles 161 of the Law on the Protection of Physical Persons with regards to the Processing of Personal Data of 30 July 2018. Vacant posts for its members are published in the Belgium official gazette before the end of the on-going mandates as a call for applications that states the number of vacancies, the appointment conditions, the missions of the concerned bodies and the modalities for applying. b. The Standing Supervisory Police Services Committee is composed of three effective members, of which one President and one Vice-President. Each has two substitutes. They are all appointed by House of Representatives that can revoke them in case they carry out functions or activities, are employed or have a mandate as referred to by sub-paragraph 4 or Article 4 of the Organic Law, or on serious grounds (Article 4 of the Organic Law). The Standing Supervisory Police Services Committee is assisted by a Registrar, also appointed by the House of Representatives (Article 5 of the Organic Law). c. The members of the Standing Supervisory Police Services Committee are appointed for a renewable six year mandate, starting from their taking of oath. At the end of their mandate, they continue to carry out

14 their functions until the oath of their successors. Substitutes are also appointed for a six years mandate starting when the post holders take their oath (Article 6 of the Organic Law).

BOSNIA AND HERZEGOVINA

Appointment procedure and length of the mandate of Director and deputy Director of the Personal Data Protection Agency in Bosnia and Herzegovina is regulated by the Law on Protection of Personal Data (Official Gazette of Bosnia and Herzegovina 49/06, 79/11 and 89/11; hereinafter: the Law).

The Agency shall be managed by the Director of the Agency (hereinafter: the Director). The Director shall be responsible for his/her work and the work of the Agency to the Parliamentary Assembly of Bosnia and Herzegovina. The Director shall have one deputy. The Deputy Director shall replace the Director during his/her absences and perform duties assigned to him/her by the Director. Director and deputy Director are appointed by the Parliamentary Assembly of Bosnia and Herzegovina for a term of five years, possibly of reappointment. Therefore, according to the interpretation of the current legal provisions, it is clear that it is referred to the possibilities or reappointment for several times.

Please note that the first version of the law provided for a Director’s mandate for four years period and Amendments to the Law of 2011 have changed it so that now the mandate of the Director and deputy Director is for a term of five years.

Besides general requirements, the candidate for the Director and deputy Director must have: Education – Bachelor of Law, at least VII level of education, i.e. the Bologna system of study, with 240 ETCS points earned; five years of experience in management in administration; demonstrated experience in the field of human rights; and recognized high moral status.

The Agency’s staff shall be civil servants and employees (administrative and technical staff). The employment relations of the civil servants working in the Agency shall be regulated by the Law on Civil Service in the Institutions of Bosnia and Herzegovina. The employment relations of the employees shall be regulated by the Labour Law for Institutions of Bosnia and Herzegovina. Positions of the civil servants and other employees shall be regulated by the Rulebook on Internal Organisation.

BULGARIA

The Bulgarian Commission for Personal Data Protection is independent, jointly governed authority and consists of Chair and four Members.

They are elected by the National Assembly after a proposal from the Council of Ministers.

The length of their mandate is 5 years and they can be re-elected for another mandate.

16 BURKINA FASO

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The members of the Commission de l’Informatique et des Libertés (CIL) come from various origins: civil society, the executive, the legislative and the judiciary sectors. They are proposed by the body they belong to and appointed by decree by the Council of Ministers (Article 27 of the Law 010-2004/AN of 20 April on the protection of personal data).

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The President of the Faso appoints the president of the Commission among the members of the Commission de l’Informatique et des Libertés (Article 28 of the Law 010-2004/AN of 20 April on the protection of personal data).

c. What is the length of their mandate? Is it renewable? If so, how many times?

The mandate is for five years and is can be renewed once (Article 29 of the Law 010-2004/AN of 20 April on the protection of personal data).

17 CABO VERDE

The answers to the following questions are to be found in the Law n.° 42 /VIII/2013 of 17 September that fixes the rules for the composition, the competency, the organisation and the operation of the National Data Protection Commission (CNDP), as well as the status of its members. a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The CNPD is composed of three persons with acknowledged competency and moral probity, who are elected by the National Assembly by a two third majority of the present MPs under the condition that the said majority be higher that the absolute majority of active MPs. Prior to the election, candidates are interviewed by the Parliamentary Commission responsible for fundamental rights. The Commission gives an opinion on the candidates according to the CNDP remit in a report. The members of the CNDP are appointed by the President of the National Assembly two weeks after the publication of the resolution approving their election. b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Chair of the CNPD rotates between the members every two years along the alphabetical order. c. What is the length of their mandate? Is it renewable? If so, how many times? The members of the CNDP have a six years mandate ending at the moment of entry into function of the new ones, and can be renewed one.

18 CHILE

Chilean Data Protection Supervisory Authority

The Chilean Transparency Council (the Council), created by the Law on Transparency of Public Functions and Access to Information of State Administration, is the public authority responsible for ensuring adequate compliance with data protection laws by State administration bodies.

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The overall direction and management of the Council is led by a Board composed of four commissioners appointed by the President of the Republic, with the prior agreement of the Senate, adopted by two thirds of its members.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Board itself elects the Council chairperson from among its members. In case there is no agreement, the appointment must be made by the drawing of lots. It should be noted that the chairmanship of the Board rotates among its members. In this way, the Council chairperson lasts eighteen months in office, and cannot be re-elected.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The commissioners serve six-year terms, and may be re-elected to serve a second term (only once). Half of the Board members are replaced every three years.

19 CROATIA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

According to Article 7 of the Act on the Implementation of the General Data Protection Regulation (Official Gazette 42/2018), the central state administration body competent for the state administration system shall publish a public call for submission of candidacies for the Director and the Deputy Director not later than six months before the expiry of the term of office of the Director and the Deputy Director or not later than 30 days after the cessation of their duty if their duty ceased before the expiry of their term of office. The central state administration body competent for the state administration system shall forward the submitted candidacies to the Government of the Republic of Croatia, indicating which candidates have submitted timely and complete candidacies. The Government of the Republic of Croatia shall make a proposal of candidates for the Director and the Deputy Director and shall refer it to the Croatian Parliament.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Director and the Deputy Director of the Croatian Personal Data Protection Agency shall be appointed by the Croatian Parliament at the proposal of the Government of the Republic of Croatia, on the basis of a public call for submission of candidacies.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The Director and the Deputy Director shall be appointed for a term of four years and may not be appointed for that duty for more than two terms of office.

20 CYPRUS

Further to the agreement of the Plenary (item 2.6 of the abridged report), please find below our replies with regard to the appointment of the Commissioner.

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Answer CY: The Commissioner for Personal Data Protection is appointed by the Council of Ministers, upon the recommendation of the Minister of Justice and Public Order (article 19 of Law 125(I)/2018).

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

Answer CY: The office staff is composed of public servants. According to the domestic law 125(I)/2018, the Commissioner shall be involved in the procedure for the selection of the Office’s staff and the staff shall be subject to the exclusive direction of the Commissioner.

c. What is the length of their mandate? Is it renewable? If so, how many times?

Answer CY: The term of office of the Commissioner is for a period of six years, renewable for one more term (article 19 of Law 125(I)/2018).

21 CZECH REPUBLIC

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The DPA head is appointed by the president of the republic on the basis of nomination by the Senate (upper chamber of the parliament). The same procedure apply for the nomination of the DPA inspectors (there are seven of them). However, circumstances around the present procedure will change once the draft law adapting the GDPR is adopted.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

Head of State on the proposition by the Senate (please see bullet point a)

c. What is the length of their mandate? Is it renewable? If so, how many times?

The term of office of the DPA head is 5 years and may be renewed once. The inspectors have a mandate of ten years and is renewable as well.

22 FINLAND

The Finnish data protection legislation has recently been amended, and the competence of the Data Protection Ombudsman is based on the new Data Protection Act (1050/2018), with entry into force on 1 January 2019, which supplements the GDPR of the EU. The office of the Data Protection Ombudsman is also reorganised in accordance with the new Act.

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The Office of the Data Protection Ombudsman in Finland consists, in addition to the Data Protection Ombudsman, of at least two Deputy Data Protection Ombudsmen and a necessary number of personnel. The appointments of the personnel are made by the Data Protection Ombudsman, with the exception of the Deputy Data Protection Ombudsmen.

There is an advisory board within the Office of the Data Protection Ombudsman, which does not work full time but is convened where necessary to provide opinions on data protection issues on the request of the Data Protection Ombudsman. The advisory board consists of a president, vice president and three other members. Each of them has an alternate member. The advisory board is set up by the Government (plenary session) for a period of three years.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Data Protection Ombudsman and the Deputy Data Protection Ombudsmen are appointed by the Government (plenary session) for a period of five years.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The Data Protection Act does not limit the renewal of the mandate, but a new appointment is needed after the expiry of the period of five years.

23 FRANCE

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The Commission nationale de l'informatique et des libertés (CNIL) is an independent administrative authority composed of an 18 members college, who are elected or designated by the assemblies or jurisdiction. They represent, or appointed by a Government decree, as precised under b.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The members of the CNIL are elected, designated or appointed as follows:

- Two members of parliament and two senators, designated respectively by the National Assembly and the Senate; - Two members of the Economic, Social and Environment Council, elected by that Council; - Two members or former members of the Council of State, elected by the General Assembly of the Council of State; - Two members or former members of the Court of cassation, elected by the General Assembly of the Court of cassation; - Two members or former members of the Court of Auditors, elected by the General Assembly of the Court of Auditors; - Three qualified persons recognised for their knowledge of the digital environment and of issues related to individual freedoms, appointed by decree; - Two qualified persons recognised for their knowledge of the digital environment and of issues related to individual freedoms, designated respectively by the President of the National Assembly and the President of the Senate; - The President of the Commission for access to administrative documents or his/her delegate.

Besides, the College includes the Ombudsman or his/her delegate, with a consultative voice.

The President of the CNIL is appointed by decree by the President of the Republic among the members of the College.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The members of the CNIL have a five years mandate, renewable once. Except for the President, half of the College is renewed or changed every two and a half year.

24 GABON

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

According to Articles 17 and 18 of the Law n°01/2011 of 25 September 2011 on protection of personal data, the members of the CNPDCP are designated as follows:

1- The 9 standing Commissioners:

- Three are persons designated by the President of the Republic, among which the President of the Commission; - One Magistrate member of the Council of State upon proposal by its President; - One Magistrate member of the Court of Cassation upon proposal by it’s the First President; - One Advocate designated by the Bar; - One Medical Doctor designated by the Doctors Association; - One representative of Human Rights defence organisations designated by his/her peers ; - One ICT expert designated by the Minister in charge of Digital Economy.

2- The 4 non-standing Commissioners:

- One Member of the Parliament designated by the President of the National Assembly; - One Senator designated by the President of the Senate; - One Government Commissioner designated by the Prime Minister; - One representative of employers of Gabon designated by his/her peers.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The authorities responsible for the appointments of designation of the members of the CNPDCP are the following:

1- the President of the Republic, who appoints the President and two members; 2- the President of the Council of State; 3- the First President of the Court of Cassation; 4- the Bar; 5- the Doctors Association; 6- the Human Rights defence oganisations ; 7- the Minister in charge of Digital Economy ; 8- the President of the National Assembly; 9- the President of the Senate; 10- the Prime Minister; 11- the Association of employers of Gabon.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The provisions of Article 25 of the above mentioned Law stipulates that the mandates of the standing members of the National Commission on Personal Data Protection should be for 5 years and can be renewed once. However, the mandates of non-standing Commissioners are linked to the mandate of their functions of origins (if a Member of Parliament or a Senator loses his/her mandate, the Commissioner mandate is automatically ended.

25 GEORGIA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Appointment procedure of the Personal Data Protection Inspector of Georgia is defined by the Law on Personal Data in details and it incorporates several stages.

Except from the procedures of appointment of the Inspector, the Law on Personal Data Protection further defines the detailed criteria of the applicant’s eligibility to be appointed as the Inspector. The Personal Data Protection Inspector shall a citizen of Georgia, with higher education in Law with at least 5 years of work experience in human rights, as well as relevant professional and personal ethics.

According to the law, initially, Prime-Minister forms the Competition Committee. The Competition Committee, by the majority of the vote, shall nominate at least 2 but not more than 5 candidates from the applicants and submit the proposed candidates to the Prime-Minister of Georgia.

Afterwards, the Prime-Minister shall nominate minimum 2 candidates to the Parliament of Georgia within the 10-days period. Within the next 14 days, the Parliament of Georgia elects the Personal Data Protection Inspector in accordance with the rules of procedure of the Parliament.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Personal Data Protection Inspector is elected by the Parliament of Georgia. However, in election procedures there are involved the Prime Minister of Georgia and the Competition Committee. The composition of Competition Committee is established by the law and it shall consist of: a) Representative of the Government of Georgia; b) The Chairman of the Human Rights and Civil Integration Committee of the Parliament of Georgia; c) The Chairman of the Legal Issues Committee of the Parliament of Georgia; d) The Deputy Chairman of the Supreme Court of Georgia; e) The First Deputy or the Deputy Head of the Chief Prosecutor of Georgia; f) The Public Defender of Georgia or representative of the Public Defender of Georgia; g) A person appointed by Public Defender of Georgia, selected from the non-entrepreneurial (non- commercial) legal persons, who has the experience of working in the sphere of human rights and/or personal data protection.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The Personal Data Protection Inspector is elected for 3 years. The same person may be appointed to the position of Inspector for only two consecutive terms.

26 GERMANY (Federal Commission)

a) Describe the election/appointment procedure of the member/s of the supervisory authority in your country. b) Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

According to Article 53 paragraph 1 of the General Data Protection Act (GDPR) Member States shall provide for members of their supervisory authorities to be appointed by means of a transparent procedure by:  their parliament;  their government;  their head of State; or  an independent body entrusted with the appointment under Member State law.

Section 11 of the German Federal Data Protection Act (BDSG; the Act can be found at: https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl#__bgbl__%2F%2F*%5B %40attr_id%3D%27bgbl117s2097.pdf%27%5D__1519203215836, or https://germanlawarchive.iuscomp.org/?p=712) covers the requirements of Art. 53 GDPR and establishes the following procedure for the Federal Commissioner:

According Section 11 paragraph 1 BDSG, at the proposal of the Federal Government, the German Bundestag shall elect without debate the Federal Commissioner with more than half of the statutory number of its members. The person elected shall be appointed by the Federal President. The Federal Commissioner must be at least 35 years old at the time of election. He or she shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform his or her duties and exercise his or her powers. In particular, the Federal Commissioner must have knowledge of data protection law acquired from the relevant professional experience and be qualified for judicial office or higher administrative service.

c) What is the length of their mandate? Is it renewable? If so, how many times?

The Federal Commissioner’s term of office shall be five years. It may be renewed once (Section 11 paragraph 3 BDSG).

27 GHANA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Appointment established by in the Act of Parliament.

b. Which institution appoints the head or members of the DPA – the Parliament, Government, Head of state, other?

The appointment is made by the President of the Republic. c. What is the length of their mandate? Is it renewable? If so, how many times?

Permanent The President appoints the Executive Director (Commissioner) in a Perrmanent Full Time Contract whilst other members of the board are on a 3 year term only (The Ghana ACT, Secrt 5(2&4). Members of the Authority’s Board of Directors may be eligible for a second term too.

28 GREECE

The members of the Supervisory authority are selected following a decision issued by the conference of the Presidents of the Hellenic Parliament, according to article 101A of the Constitution, after prior recommendation from the Committee of Institutions and Transparency, in accordance to the provisions of the Bylaws of the Parliament.

The decision of the conference of the Presidents of the Hellenic Parliament is promptly sent to the competent Minister, who must issue the act of the appointment within 15days after the notification.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The President and the members of the supervisory authority are appointed for a four year term, renewable only once. The term of the three members (of the total six) is renewed (rotation system) biannually.

29 HUNGARY

The head of the Hungarian Authority is its president. The president of the Authority is appointed by the President of the Republic, based on the recommendation of the Prime Minister.

The president of the Authority is selected from those Hungarian citizens who have a law degree and the right to stand as candidates in parliamentary elections, have at least ten years of experience in supervising procedures related to data protection or freedom of information, or who hold an academic degree in either of those fields. Persons who served as a member of the National Assembly or as a Member of the European Parliament, as a national minority advocate, as the President of the Republic, as a member of the Government, as a state secretary, as a representative of a local government, as a mayor or deputy mayor, as a lord mayor or deputy lord mayor, chair or deputy chair of a county assembly, a member of a national minority government, or an officer or employee of a political party in the four-year period before the recommendation for appointment shall not be appointed as president of the Authority.

The President of the Republic shall appoint the president of the Authority for a term of nine years. After the termination of his mandate, the president of the Authority may be reappointed as the president of the Authority on one occasion.

Upon being appointed, the president of the Authority shall take an oath before the President of the Republic in accordance with the Act on the oath and vow taken by certain public officials.

30 ICELAND

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Members of the Data Protection Authority's board are appointed by the Minister of Justice. Two board members (the chairperson and vice chairperson, who are both lawyers and required to be qualified to serve as judges) are appointed without nomination, one is nominated by the minister responsible for Telecommunications and Cyber Security, one is nominated by the Minister of Health, and one is nominated by SKÝ (The Icelandic Computer Society). The board member nominated by SKÝ has to be a specialist in the field of computers and technology. All board members (as well as their substitutes, who are appointed according to the same procedure) need to have knowledge of data protection and an appropriate education.

The Data Protection Commissioner is appointed by the Minister of Justice after being nominated by the board of the DPA. The Data Protection Commissioner needs to have a university degree as well as knowledge and experience in the field of data protection.

The Data Protection Commissioner then selects his staff.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Data Protection Commissioner is appointed by the Minister of Justice (the government) after being nominated by the board of the DPA.

c. What is the length of their mandate? Is it renewable? If so, how many times?

Board members are appointed by the Minister of Justice for a term of 5 years, limited to 3 consecutive terms. The Data Protection Commissioner is appointed for a term of 5 years, which is renewable every 5 years for an unlimited time.

31 IRELAND

A. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Members of the Data Protection Commission (as distinct from staff) are called Commissioners. The conditions for the appointment of members of the Data Protection Commission (referred to as “commissioners”) are set out in section 15 of the Data Protection Act 2018, which provides for the appointment of a maximum of 3 Commissioners and that commissioners shall be appointed by the Government on the recommendation of the Public Appointments Service (PAS) following an open selection competition. PAS is required to appoint a selection panel to assist it in holding the open competition and to ensure that a person is recommended for appointment only if it is satisfied that “the person has the qualifications, experience and skills necessary to enable the Commission to effectively perform its functions”.

B. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Government is responsible for appointing members of the Data Protection Commission. Where more than one Commissioner is appointed, the Minister for Justice and Equality appoints one Commissioner to be chairperson.

C. What is the length of their mandate? Is it renewable? If so, how many times?

In accordance with section 15(3) of the 2018 Act, the appointment shall be for a period of not less than 4 and not more than 5 years from the date of a commissioner’s appointment. Section 15(8) states that a commissioner may be reappointed for one further period of not less than 4 and not more than 5 years.

The Data Protection Act 2018 is available at: http://www.irishstatutebook.ie/eli/2018/act/7/enacted/en/html

32 ISRAEL

The Israeli Database Registrar, whom is the head of the Privacy Protection Authority (the "Registrar"), is appointed by the Government of Israel (cabinet of Ministers), based on the recommendation of the Minister of Justice which is given following a selection process conducted by a "search committee". The procedures by which the "search committee" operates are defined in section 11.968 ("Appointment by a Search Committee") of the Civil Service Regulations, which applies to positions of high ranking officials in the Israeli administration which are of scientific, professional, regulatory and/or public interest type. According to government decision no. 4660 dated January 19th 2006, the search committee is comprised of five members, and is headed by the director general of the Ministry of Justice. Other members are: A senior civil servant lawyer who is knowledgeable in the field of data protection appointed by the Director General of the Ministry of Justice in consultation with the Commissioner Public Service, Deputy to the Civil Service Commissioner, Privacy expert from the private sector and a Privacy expert from the academia . As mentioned above, the committee's decision is brought by the Minister of Justice, to the cabinet for approval. According to government decision number 4470 dated February 8th, 2009, the length of the appointment is 6 years and it is not renewable in order to ensure independence during the term.

33 ITALY

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The 4 members of the Garante per la protezione dei dati personali (“Garante”) are elected (2) by the Chamber of Deputies and (2) by the Senate. The Commissioners are elected among the applicants to a public call which must be published on the websites of both the Chamber and the Senate at least 60 days before the election. Candidates’ c.v. must be available on the said websites. Candidates must ensure their independence and well proven experience in data protection, in particular with respect of the legal or technological field.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

As said before, the Parliament elects the 4 members of the SA. The 4 elected members designate among themselves the President, whose vote prevails in the event of a tie. The members also designate the vice-President who takes over the functions of the President in case of his/her absence or impediment.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The mandate lasts 7 years and it is not renewable

34 JAPAN

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

At PPC Japan (Personal Information Protection Commission Japan), the Commission is composed of a chairperson and eight commissioners. A Chairperson and the Commissioners are to be appointed by the Prime Minister with consent of both Houses of the Diet from among those with high character and deep insight.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

As stated above, a Chairperson and the Commissioners are to be appointed by the Prime Minister with consent of both Houses of the Diet from among those with high character and deep insight.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The term of office for a Chairperson and for the Commissioners is to be five years. They may be reappointed. The law does not stipulate any restriction regarding the number of times of reappointment.

35 LATVIA

1. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

According to the Personal data processing law of Latvia the Data state Inspectorate (DPA) shall be managed and represented by its Director. The Cabinet of Ministers (hereafter – the Cabinet) shall appoint the Director of the Inspectorate for a period of five years upon recommendation of a commission established by the Cabinet. The Cabinet shall announce an open competition for the office of the Director of the Inspectorate, lay down conditions and procedures by which candidates may apply for the office of the Director of the Inspectorate, as well as the procedures for selecting and evaluating candidates. Selection of the candidates for the office of the Director of the Inspectorate shall be performed by a commission which is chaired by the Director of the State Chancellery. The commission shall be composed of the Director of the State Chancellery, the Minister for Justice, the ombudsman and the Chief of the Security Police. Authorised representatives of not more than three associations and foundations which operate in the area of human rights or data protection shall participate in the selection of the candidates for the office of the Director of the Inspectorate in advisory capacity. Provisions laid down in other laws and regulations regarding performance, assessment of results thereof, suspension and disciplinary liability of the head of an institution, as well as other legal norms restricting independence of the Director of the Inspectorate shall not apply to the Director of the Inspectorate.

According to the Personal data processing law the Director of the Inspectorate shall:

1) perform the functions of the head of an institution of direct administration laid down in the State Administration Structure Law; 2) establish advisory councils, as well as working groups for the examination of issues in the areas of competence of the Inspectorate; 3) participate in the meeting of the State Secretaries, meetings of the committees of the Cabinet, and Cabinet meetings in an advisory capacity; 4) appoint and remove from the office officials and employees of the Inspectorate; 5) approve by-laws of the Inspectorate; 6) determine offices of officials and employees in the Inspectorate.

2. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The head of the Inspectorate is appointed by Government (in Latvia – the Cabinet of Ministers) upon the recommendation of the special commission (see answer No.1.).

3. What is the length of their mandate? Is it renewable? If so, how many times?

The length of the mandate of the director of the Inspectorate is 5 years. The same person may be the Director of the Inspectorate for not more than two consecutive terms. This means no longer than 10 years.

36 LIECHTENSTEIN

The National Parliament elects the President of the Data Protection Authority upon proposal by the Government for a six years mandate. The President can be re-elected without limitation.

The other members of the Authority are recruited by the Government upon proposal of the President of the Authority.

Regarding them, the provisions related to transfers and dismissal included in the Law on State staff apply. Any request to the Government for a transfer or termination of functions should be done by the President of Authority. In general, the other members of the staff have a standing work contract.

37 LUXEMBURG

Please, find below the answers to the questions related to the appointment procedure for members of the Data Protection Authority in Luxemburg, according to the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country. Art.16. The CNPD is a collegial body counting four (full time) members, of which the President, (and four deputy members who are also engaged in other professional activities deemed not incompatible with their position at the CNDP). Following a public call for applications, a short list of candidates, presented by order of preference, is established by the Prime Minister’s Office on the basis of one or more interviews by an informal jury. The Prime Minister submits his/her proposals to the Government for decision.

Art. 18. The Council of Government makes proposals to the Grand Duke for the members of the college and their deputies who are Luxemburg nationals and fulfil the criteria for the competition for A1 handling group. They are appointed on the basis of their skills and experience of personal data protection. Vacant posts for college members are published at the latest six months ahead of the expiration of the mandates. The publication is a call for applications indicating the number of vacant posts, the appointment conditions, the missions of the body to be formed and the modalities for applying.

Art. 19. Prior to starting his/her functions, the President takes an oath before the Grand Duke or his representative.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

Art.17. Members of the college and their deputies are appointed and dismissed by the Grand Duke upon proposal by the Government Council. The President is designated by the Grand Duke.

c. What is the length of their mandate? Is it renewable? If so, how many times?

Members of the college and their deputies have a six year mandate, renewable once.

38 MAURITIUS

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The Ministry of Technology, Communication and Technology informs the Public Service Commission & Disciplined Forces Service Commission about the vacant post. The Public Service Commission & Disciplined Forces Service Commission advertises for the post, conducts interview and appoints the candidate. However, the Ministry of Technology, Communication and Technology confirms the appointment of the candidate as public officer.

The Public Service Commission, by virtue of Section 88 of the Constitution, was established under the Public Service Commission Ordinance No. 23 of 1953 and came into operation on 11 May 1955. The Disciplined Forces Service Commission was established, by virtue of Section 90 of the Constitution, and its origin can be traced back to 1958. The PSC and DFSC are the main recruiting Constitutional bodies for the Public Service in Mauritius.

b. Which institution appoints the head or members of the DPA – the Parliament, Government, Head of state, other?

In accordance with Section 88 of the Constitution (as amended by Act No. 5 of 1997), the Chairperson, Deputy Chairpersons and Commissioners are appointed by the President of the Republic of Mauritius after consultation with the Prime Minister and the Leader of the Opposition. The Public Service Commission & Disciplined Forces Service Commission appoints the officers of the DPA.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The Data Protection Commisionner is recruited by the Public Service Commission on a permanent basis.

The appointment is done on a substantive basis.

39 MEXICO

QUESTIONS ON SUPERVISORY AUTHORITIES

1. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

In accordance with article 6, paragraph A, section 8, of the Mexican Political Constitution, the supervisory authority is composed of seven commissioners. For their appointment, the Senate of the Republic, after carrying out a broad consultation of the society, which is based upon a proposal emitted by parliamentary groups, with the vote of two thirds of the members present, will appoint the commissioner to fill the vacancy, following the process established in the law. The appointment may be objected by the President of the Republic within a period of ten working days. If the President of the Republic does not object to the appointment within said term, the person appointed by the Senate of the Republic shall hold the position of commissioner.

If the President of the Republic objects to the appointment, the Senate will present a new proposal, in the terms of the previous paragraph, but with a vote of three-fifths of the members present. If this second appointment is objected, the Senate, in the terms of the previous paragraph, with the vote of three fifths of the members present, will designate the commissioner who will fill the vacancy.

In accordance with article 30 of the Federal Law of Transparency and Access to Public Information, the President Commissioner will be elected in public session through the secret voting system by the seven commissioners. It will require the attendance of all the commissioners and at least five votes in favor.

2. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

In accordance with article 76, section 12, of the Mexican Political Constitution, the Senate of the Republic has the exclusive faculty to appoint the commissioners of the supervisory authority established in article 6 of the said Constitution, in the terms established by it and the provisions provided in the law.

3. What is the length of their mandate? Is it renewable? If so, how many times?

In accordance with article 6, paragraph A, section 8, of the Mexican Political Constitution, the length of a Commissioner’s mandate will be 7 years and it is not renewable.

40 MOLDOVA

According to art. 22 of Law no. 133 of 08 July 2008 on the protection of personal data, the Centre is led by a director appointed by the Parliament upon the proposal of the President of Parliament, a parliamentary fraction or a group of at least 15 MPs, with the vote of the majority of elected deputies, for a term of 5 years. The appointed person may hold the position of director for not more than two consecutive mandates.

41 MONACO

Reference texts:

- Law n°1.165 of 23 December 1993 on protection of nominative information, modified by the Law n° 1353 of 4 December 2008 - Sovereign Ordinance n° 2.230 establishing the modes of implementation of the law n°1.165 of 23 December 1993 on processing of nominative information, amended by the Law n° 1353 of 4 December 2008 on protection of nominative information. °°° a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The supervisory authority of Monaco is a collegiate body. It is called the « COMMISSION DE CONTROLE DES INFORMATIONS NOMINATIVES» (C.C.I.N). The Commission is an independent authority and counts six members. The members are proposed according to their competency as follows: 1 - one member proposed by the National Council (elected assembly); 2 - one member proposed by the Council of State; 3 - one member proposed by the State Minister (Head of State); 4 - one sitting magistrate proposed by the Director of Legal Services; 5 - one member proposed by the City Council; 6 - one member proposed by the Economic and Social Council. Proposals for the appointment of new members or the renewal of existing mandates must be sent within six months of termination of the prior mandates. They should not concern people belonging to the authorities, councils and institutions that make them.

Being member of the Commission is incompatible with being - national or city councillor; - state councillor; - magistrate in office, except for the member proposed by the Director of Legal Services; - civil servant or employee of the State, the city or a public institution; - or with holding a position or shares in Monaco or foreign companies involved in manufacturing IT or telecommunication materials or in providing IT or telecommunication services.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

Once designated according to the procedure described under a), members of the Commission are appointed by way of a Sovereign Ordinance signed by SAS the Prince. The President and the vice-President are elected by the members of the Commission among them by an absolute majority of the votes. In performing their duties, the members of the Commission shall not receive instructions from any authority or body. The President shall have deciding vote in case of a tie. c. What is the length of their mandate? Is it renewable? If so, how many times?

The members have a five years mandate, renewable once. Unless resignation or impediment, their mandate cannot be terminated before its term. In the case where the President puts an end to his/her functions or is not any longer in capacity to carry them out, the vice-President temporally takes over until the election of a new President and a new vice- President.

42 MONTENEGRO

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The Parliament of Montenegro announces a public invitation for the members of the Council and the candidates apply. The Administrative Board carries out selection and proposes candidates to the Parliament, the Parliament then appoints.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The president and the members of the Council are appointed by the Parliament of Montenegro.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The length of their mandate is five years. It is renewable, maximum two times.

43 NORTH MACEDONIA

The appointment procedure of the director of the Macedonian DPA is stipulated with the Law on Personal Data Protection (https://www.dzlp.mk/sites/default/files/Law_on_Personal_Data_Protection_Cleared_version_0.pdf)

Pursuant to this law, Directorate is managed by a Director, appointed and dismissed by the Assembly of the Republic of Macedonia (The Parliament) upon the proposal of the Commission for Election and Appointment Matters of the Assembly of the Republic of Macedonia.

A public announcement for appointment of a director is published in at least three daily newspapers that are printed on the whole territory of the Republic of Macedonia one of which is a newspaper printed in a language spoken by at least 20% of the citizens who speak an official language other than the Macedonian.

The director of the Directorate is appointed for a period of five years, with a right to be re-appointed, but no more than twice. The director of the Directorate also has a deputy, who’s appointed through the same procedure as for the director.

44 NORWAY

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The director, i.e. the head of the DPA, is the only person in the Norwegian DPA who is considered a member of the supervisory authority for the purposes of the GDPR. In accordance with the general rules in the Norwegian Government Officials Act (“Statsansatteloven”), the position as director of the Norwegian DPA shall be advertised publicly (section 3 para. 1). The best qualified applicant, considering education, experience, personal suitability and the required qualifications in the advertisement of the position, will be appointed to the position as director. The director is appointed by the King, i.e. the government (section 20 para. 2 first sentence of the Norwegian Personal Data Act, “Personopplysingsloven”).

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The director of the Norwegian DPA is appointed by the King, i.e. the government (Norwegian Personal Data Act section 20 para. 2 first sentence).

c. What is the length of their mandate? Is it renewable? If so, how many times?

Under the current rules, an appointment is permanent and not temporary (section 20 of the Norwegian Personal Data Act read in conjunction with section 9 (1) first sentence of the Norwegian Government Officials Act). However, the King, i.e. the government, may adopt administrative regulations providing for fixed time appointments of the director of the DPA (section 20 para 2. second sentence of the Norwegian Personal Data Act). At present, the government has not adopted such administrative regulations. Accordingly, the rules on the duration of appointments of senior civil servants apply; the director will be appointed in a permanent position and can only be suspended or dismissed subject to strict conditions (section 22 of the Constitution of the Kingdom of Norway and sections 27 to 29 of the Norwegian Government Officials Act).

The current director of the Norwegian DPA was appointed before the entry into force of the GPPR, on the basis of the previous Norwegian Personal Data Act. He was appointed for a 6-year fixed term. The appointment will expire in August 2022, as the new legislation does not apply to appointments made on the basis of the previous Personal Data Act. When the term expires, the director may be appointed for a fixed term if administrative regulations providing for this have been adopted.

45 POLAND

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

According to the Act of 10 May 2018 on the Protection of Personal Data, The President of the Office is the authority competent in matters of personal data protection. (Article 34., Paragraph 1.) The President of the Office shall be appointed and recalled by the Sejm of the Republic of Poland upon the consent of the Senate of the Republic of Poland. (Article 34., Paragraph 3.) The President of the Office shall be subject solely to the Act as regards the scope of his or her tasks. (Article 34., Paragraph 5.)

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The President of the Office shall be appointed and recalled by the Sejm of the Republic of Poland upon the consent of the Senate of the Republic of Poland. (Article 34., Paragraph 3.) c. What is the length of their mandate? Is it renewable? If so, how many times?

The term of office of the President of the Office shall last 4 years, counting from the day on which an oath is taken. After the lapse of the term of office, the President of the Office shall perform his or her duties until the duties are taken up by a new President of the Office (Article 34., Paragraph 6.). The same person cannot be a President of the Office for more than two terms of office (Article 34., Paragraph 7.). The term of office of the President of the Office shall expire at the moment of his or her death, recall or loss of Polish citizenship (Article 34., Paragraph 8.). In case of expiry of the term of office of the President of the Office, his or her duties shall be performed by the deputy of the President of the Office designated by the Marshal of the Sejm of the Republic of Poland (Article 34., Paragraph 10.). Prior to assuming his or her duties, the President of the Office shall take the oath before the Sejm of the Republic of Poland. (Article 35., Paragraph 1.). The President of the Office may appoint up to three deputies (Article 36., 1 .)

PORTUGAL

Answer: According to Article 25 of Law 67/98, of 26 October, the Portuguese supervisory authority (CNPD) is composed of “(…) seven members of recognised integrity and merit, the chairman and two members being elected by the Parliament (Assembleia de República) by means of the d’Hondt highest average rule. “The remaining members of the supervisory authority are: (a) two magistrates with over 10 years’ experience, one being a Judge appointed by the Conselho Superior da Magistratura, and the other a Prosecutor appointed by the Conselho Superior do Ministério Público ; (b) two individuals of recognised competence appointed by the Government.”

According to Law 43/2014, to be designated as member of the supervisory authority citizens must be fully enjoying their civil and political rights.

The legal regime of incompatibilities applicable to those who occupy the highest ranks of public offices are applicable to the members of the supervisory authority. Finally, the members of the supervisory authority cannot be removed from office except at the end of their mandate or in the following situations: (a) Death or physical limitation of a permanent or long term duration; (b) Renunciation to the mandate; (c) Loss of mandate. c. What is the length of their mandate? Is it renewable? If so, how many times?

Answer: The members of the CNPD shall have a five-year mandate which shall cease when the newly appointed members take office. According to Law 43/2004, of 18 of august, on the organisation and functioning of the supervisory authority, the mandate of the members cannot be renewed more than once.

47 THE PHILIPPINES

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The members of the National Privacy Commission, an independent body created under Republic Act 10173 (also known as "the Data Privacy Act") shall be appointed by the President of the Philippines. Under the law, the Privacy Commissioner and Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other? For the Philippines, it is the head of state (the President) that appoints the Commissioner and Deputy Privacy Commissioners.

c. What is the length of their mandate? Is it renewable? If so, how many times?

Under Section 9 of the Data Privacy Act, the Commissioner and Deputy Commissioners are given a fixed term of three (3) years, renewable for another term of three (3) years.

In support of our answers above, we are supplying the relevant provision from the Data Privacy Act :

SEC. 9. Organizational Structure of the Commission. – The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years. Vacancies in the Commission shall be filled in the same manner in which the original appointment was made.

The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.

The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.

The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their duties. However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors: Provided, That in case a lawsuit is filed against such official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.

ROMANIA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Article 6 of Law no. 102/2005 on the establishment, organization and functioning of the National Supervisory Authority for Personal Data Processing, republished, provides that:

“(2) Any person with Romanian citizenship who is a graduate of a higher education institution may be appointed president or vice-president of the National Supervisory Authority,according to the law. The president and the vice-president are politically independent personswith a strong professional competence, including in the field of personal data protection, of atleast 10 years of specialty, of good reputation and of high civic probity. (3) The capacity of the president or vice-president of the National Supervisory Authorityis incompatible with any other public or private function, except for the teaching function.” Furthermore, Article 7 of Law no. 102/2005, republished, stipulates that: “(1) The proposals for candidates for the position of president or vice-president of the National Supervisory Authority shall be made by the Standing Bureau of the Senate upon recommendation of the parliamentary groups of the two Chambers of Parliament. (2) The candidates submit to the Senate’s Legal, Appointment, Discipline, Immunities and Validation Commission the documents proving that they fulfill the conditions provided by the law in order to act as president or vice-president of the National Supervisory Authority. The candidates will be heard by the Legal, Appointment, Discipline, Immunities and Validation Commission. The Senate decides on their appointment after the plenary. (3) The appointment of the president and the vice-president of the National Supervisory Authority shall be by majority vote of the Senators. If there is no majority at the first ballot, a new ballot will be held with only the candidates in the first two places from the previous round.”

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The president of the National Supervisory Authority for Personal Data Processing is appointed by the Senate. Article 6 (1) of Law no. 102/2005, republished “(1) The president and vice-president of the National Supervisory Authority are appointed by the Senate for a term of five years. The term of office of the president and of the vice-president may be renewed once.”

c. What is the length of their mandate? Is it renewable? If so, how many times?

According to Article 6 (1) of Law no. 102/2005, republished, the length of the mandate is of five years and may be renewed once. “(1) The president and vice-president of the National Supervisory Authority are appointed by the Senate for a term of five years. The term of office of the president and of the vice-president may be renewed once.”

49 SAN MARINO

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Le Commissaire (Guarantor) à la protection des données à caractère personnel est un organe collégial composé d’un Collège et d’un Bureau. Son Conseil d’administartion est commposé de trois membres nommés par le Grand Conseil Général (parlement).

The Guarantor for the protection of personal data is a collegiate body composed of the College and the Office. The Board is made up of three members appointed by the Great and General Council (Parliament).

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The Grand and General Council (Parliament), at the time of the appointment of the college identifies the president and the vice-president.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The members remain in office for four years and are renewable for a single time.

50 SENEGAL

Answers to the follow-up questionnaire to decisions taken at the 37th plenary meeting

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country

According to the provisions of Article 6 of the Law n°2008-12 of 25 January 2008, the members of the CDP are appointed as follows: - three members (3) are appointed by the President of the Republic; - one deputy member is appointed by the President of the national Assembly; - one representative (1) of employers’ organisations is designated by the Minister in charge of professional organisations; - two (2) magistrates are designated by the Supreme Court upon proposal of its President; - one attorney (1) is designated by the President of the Bar Association of Senegal; - one representative (1) of Human Rights defence organisations is designated by the Minister of Justice upon proposal of the High Commissioner of Human Rights and Promotion of Peace; - the Director of the State IT Agency (ADIE) is ex-officio member. In addition, a Government Commissioner designated by the Prime Minister takes part in the CDP. The members of the Commission are appointed by decree.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

The President of the Commission is appointed by the President of the Republic among its members. The Vice-president is elected among the members of the Commission. A Government Commissioner is designated by the Prime Minister. Besides, the services of the Data Protection Commission are under the authority of its President. Its staff is seconded by the State and the CPD can recruit further staff according to the Labour Code.

c. What is the length of their mandate?

The members of the Data Protection Commission have a four (4) years mandate that can be renewed one. The Government Commissioner is appointed for two years (2) and can be renewed one. Nota Bene: among the eleven (11) members of the Commission, only the President has full time functions. The members are called « Commissioners » and meet once or twice per month in plenary sessions chaired by the President.

51 SERBIA

Contribution of the Republic of Serbia to the Consultative Committee of the Counsel of Europe Convention 108 with regard to the procedure of the appointment of the member/s of data protection supervisory authority.

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Data protection authority in Serbia is competent for freedom of information and the election of the head of authority is governed by the Law on Free Access to Information of Public Importance ("Official Gazette of RS" No. 120/04, 54/07, 104/09 and 36/10). The Law is currently subject to amendments with the relevant ministry (Ministry of Public Administration and Local Self-government), however, not significant changes are proposed with regard to the transparency of the appointment procedure, e.g. there is no public call for candidates.

According to article 30: “The National Assembly of the Republic of Serbia (hereinafter referred to as the National Assembly) shall appoint the Commissioner by a majority of votes of all members of parliament, acting on proposal of the Committee of the National Assembly responsible for information. The incumbent shall be a person of established reputation and expertise in the field of protecting and promoting human rights. To be eligible for appointment as Commissioner, a person must fulfil the requirements for employment in government agencies, hold a Bachelor's degree in Law and have at least ten years of relevant work experience. A person holding a post in or employed by a government body or a political party shall not be eligible for appointment as Commissioner. The Commissioner shall be appointed to a seven-year term of office. The same person may be appointed Commissioner for maximum two consecutive terms.”

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

Parliament votes on the candidate proposed by the Parliamentary Board on Culture and Information. Absolute majority required.

c. What is the length of their mandate? Is it renewable? If so, how many times?

7 years, renewable once.

52 SLOVAK REPUBLIC

Under Act no 18/2018 Coll. on Data Protection:

President of Slovak DPA is elected by national parliament at the suggestion of the government. The term is 5 years (renewable once).

Vice-President of Slovak DPA is appointed by the government at the suggestion of President of Slovak DPA. The term is 5 years (renewable once).

Other employees are hired via standard process in state service.

SLOVENIA

To begin with, the GDPR has not been implemented in Slovenia yet. However, the appointment of the Information Commissioner (Slovenian National Supervisory Body for Personal Data Protection, hereinafter: the Information Commissioner) is regulated by the Information Commissioner Act, so we do not expect major changes in this field after the implementation of the GDPR.

According to the Information Commissioner Act:

 The Information Commissioner is appointed by the National Assembly of the Republic of Slovenia on proposal of the president of the Republic of Slovenia.  For the appointment as Information Commissioner, a person must fulfill the following conditions:

- be a citizen of the Republic of Slovenia;

- hold a university degree;

- have at least five years of working experience;

- must not have been convicted by a final decision of a criminal offence punishable by an unconditional punishment of deprivation of liberty.

 The Information Commissioner is appointed for a five year's term and can be reappointed once.

54 SPAIN

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

Under art. 48 of the current Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPD), the Presidency of the Spanish Agency for Data Protection directs it, holds its representation and dictates its resolutions, circulars and guidelines.

The Presidency of the Spanish Data Protection Agency will be assisted by an Adjoint President to whom the President may delegate its functions, except for those related to the procedures regulated by Title VIII of this organic law. The Adjoint President will be able to replace the President when needed in the terms provided by the Statute of the Spanish Data Protection Agency (a new Statute for the Spanish Data Protection Agency will be developed soon).

The President and Adjoint President will exercise their functions with full independence and objectivity and will not be subject to any instruction in their performance of their duties. The regulatory legislation for the exercise of High offices of the General State Administration will be applicable to them.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

Again under art. 48 LOPD, the Presidency of the Spanish Agency for Data Protection and the Adjoint President shall be appointed by the Government, at the proposal of the Ministry of Justice, between persons of recognized professional competence, particularly in matters of data protection.

Two months before the expiration of the mandate or, in the rest of the causes of cessation of office, when it has occurred, the Ministry of Justice will order the publication of the public call for candidates in the Official State Gazette.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The mandate of both the President and Adjoint President of the Spanish Data Protection Agency lasts for five years and can be renewed once for an equivalent 5-year term of office.”

55 SWEDEN

The Advisory Council at the DPA consist of seven members and the Director General is the chairman. The other six consists of members appointed by the Government. Three of those are chosen after nomination from parliamentary parties, and consist of members of parliament. The other three are chosen after recommendation and on the basis of their knowledge of public administration and issues close to the authority's area of responsibility. They are usually appointed for a period of three years with a possibility of reappointment. It is unusual for a member of a supervisory council to sit for a mandate period longer than nine years.

The current General Director of the Swedish DPA is appointed for a six year period. That is the general practice in Sweden for positions of this kind, with a possibility to extend for another three year period.

56 SWITZERLAND

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The federal Data Protection and Transparency Commissioner is appointed by the Federal Council upon a selection by an ad hoc committee following a competition. The appointment is submitted to the approval of the Federal Assembly (Parliament).

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

As indicated above, the Commissioner is appointed by the government and his/her appointment must be approved by the Parliament. The Commissioner hires the staff of the authority. Until recently, the deputy Commissioner was also appointed by the government.

c. What is the length of their mandate? Is it renewable? If so, how many times?

The Commissioner is elected for a 4 years mandate which can be tacitly renewed; there is no limit for the number of mandates.

The Data Protection federal law is currently being revised and changes will be introduced for the appointment procedure, notably regarding the duration of the mandate that will be limited to two renewals. In the future, it is not excluded that the Commissioner be elected by the Parliament instead of only confirmed by it.

57 TUNISIA

a. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

The 2004 Law provides that the members of the Data Protection Authority (INPDP) are appointed by governmental decree. The President is appointed by the Head of State and the 14 other member are proposed by ministerial departments. The expert is proposed by the Minister in charge of Human Rights. The members have a three years renewable mandate and cannot be revoked. However, the draft law currently pending adoption establishes two distinct steps for the choice of the members: the Head of State will propose twice as much names for the number of vacancies in the DPA board and the Parliament will choose the members among these proposals and appoint them for a six years non-renewable mandate.

b. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

See the answers to question a. Currently, this responsibility is exclusively the one of the Head of State upon proposals of the ministers. In the current draft, it is the Head of the Government who will propose candidates to the Parliament that will appoint the members.

c. What is the length of their mandate? Is it renewable? If so, how many times?

See the answers to question a. Currently the mandate is of three years and is renewable. In the draft law, it will be of six years and will not be renewable. The current law does not limit the mandate renewal. The President is currently serving his second mandat and nothing prevents him from being appointed another time, should the draft law not be adopted. The draft law provides for a limit of one 6 years mandate.

58 59 UNITED KINGDOM

A. Describe the election/appointment procedure of the member/s of the supervisory authority in your country.

 Schedule 12 of the Data Protection Act 2018 sets out publicly the terms of appointment of the Information Commissioner. The Information Commissioner is appointed by Her Majesty by Letters Patent, upon a recommendation from Government.

B. Which institution appoints the head or members of the DPA – the parliament, government, head of State, other?

 The recruitment process for our current Information Commissioner is a matter of public record, in the form of report (ref HC 990) by the Digital, Culuture, Media and Sports Select Committee of the UK Parliament.  The Government has no involvement in the appointment of ICO officials. Under Schedule 12(5) of the DPA 2018, the Commissioner has statutory responsibility for the appointment of officers and staff.

C. What is the length of their mandate? Is it renewable? If so, how many times?

 Schedule 12 of the Data Protection Act 2018 states that the Commissioner is to hold office for a term not exceeding 7 years, as may be determined at the time of the Commissioner’s appointment. It also stipulates that a person cannot be appointed as the Commissioner more than once.

60 EUROPEAN DATA PROTECTION SUPERVISOR (EDPS)

Regulation 2018/1725 (replacing the former Regulation 2001/45) is applicable as from 11 December 2018 and sets data protection rules for EU Institutions and bodies in line with the standards imposed on other organizations and business by the GDPR.

Article 53 of this Regulation provides the following rules for the appointment of the EDPS:

"Appointment of the European Data Protection Supervisor

1. The European Parliament and the Council shall appoint the European Data Protection Supervisor by common accord for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates. The call for candidates shall enable all interested parties throughout the Union to submit their applications. The list of candidates drawn up by the Commission shall be public and shall consist of at least three candidates. On the basis of the list drawn up by the Commission, the competent committee of the European Parliament may decide to hold a hearing in order to enable it to express a preference.

2. The list of candidates referred to in paragraph 1 shall be made up of persons whose independence is beyond doubt and who are acknowledged as having expert knowledge in data protection as well as the experience and skills required to perform the duties of European Data Protection Supervisor.

3. The term of office of the European Data Protection Supervisor shall be renewable once.

4. The duties of the European Data Protection Supervisor shall cease in the following circumstances:

(a) if the European Data Protection Supervisor is replaced;

(b) if the European Data Protection Supervisor resigns;

5. The European Data Protection Supervisor may be dismissed or deprived of his or her right to a pension or other benefits in his or her stead by the Court of Justice at the request of the European Parliament, the Council or the Commission, if he or she no longer fulfills the conditions required for the performance of his or her duties or if he or she is guilty of serious misconduct.

6. In the event of normal replacement or voluntary resignation, the European Data Protection Supervisor shall nevertheless remain in office until he or she has been replaced.

7. Articles 11 to 14 and 17 of the Protocol on the Privileges and Immunities of the European Union shall apply to the European Data Protection Supervisor".